Cyber Viruses Infect
Schools Across Nation

As schools prepared for a new year, waves of attacks by computer
viruses temporarily shut down educational computer networks and Web
sites, disrupting some school business and costing scarce budget
dollars as technicians scrambled to fix the resulting problems.

Districts across the country had to suspend e-mail delivery, the
scheduling of students' fall classes, and other functions surrounding
the start of school. Web sites full of opening-day announcements went
dark; those that were open greeted parents with virus warnings and
instructions for installing "patches," or software code to correct the
flaws that a virus exploits.

"Just the sheer amount of effort and talent that was wasted in this
latest series of attacks, you couldn't measure," said James Hirsch, the
technology chief for the 52,000-student Plano, Texas, schools.

In Plano, a virus infected 2,800 school laptop computers, which
lacked the latest updates to virus-protection software. It spread from
the laptops to the district's computer network, forcing the district to
shut off some essential computer services, such as a system that
monitors building-security systems throughout the district.

Mr. Hirsch and other educational technology experts said the recent
global outbursts of computer viruses and worms—which also
affected computers in businesses, government agencies, and homes,
causing an all-time record for damage, according to virus
experts—couldn't have come at a worse time for schools.

And the troubles may not be over, as experts were predicting that a
widespread attack by a new version of one of the viruses, called Sobig,
would occur this week.

Malicious Code

A virus is harmful software code that is appended to another,
apparently harmless, software file; it is often activated when a user
innocently clicks on an infected file attached to an e-mail message. A
worm, equally malicious, can spread by itself, over an open network
connection, by exploiting a software flaw.

The spate of recent viruses and worms, of several basic types with
multiple variants, brought computer networks to their knees by
overloading them with thousands of signals, or "pings." The intruders
exploited flaws in widely used operating systems and Web-browser
software designed by the Microsoft Corp.

In addition, they are sometimes equipped to install "backdoors" or
"Trojan horses" on the computers they infect, an arrangement that later
allows the attacker to control the computer remotely without needing a
password.

Computer viruses and worms can spread relentlessly to any computer
on a network, when technicians and ordinary users fail to take
precautions. Standard tools such as firewalls and anti-virus software
defeat these attacks, but not if, as often happens in schools, those
defenses are not updated frequently, or if users bypass them by
bringing in laptops or computer disks from home.

Few computer users have the skills to spot these software flaws and
build totally new viruses and worms. But virus "toolkits" that have
become widely available on the World Wide Web allow people with ill
intentions and much less skill to launch their own potent
knock-offs.

That's apparently what happened with Nachi, a worm also called
Welchia that was first detected in early August, and with the Blaster
worm.

On Aug. 29, federal prosecutors in Seattle arrested Jeffrey Lee
Parson, a Minnetonka, Minn., high school student, and lodged a felony
charge against him for allegedly developing and releasing the "B
variant" of the Blaster worm. Analysts discovered that the variant had
infected thousands of computers and had attacked Microsoft's "Windows
Update" Web site.

Mr. Parson, 18, who lives with his parents and attended Hopkins High
School, made no plea at the hearing and was released in lieu of a
$25,000 bond and placed under house arrest. He will be arraigned in
Seattle on Sept. 17.

Eileen Harvala, a spokeswoman for the Hopkins school district in
Minnetonka, said Mr. Parson is currently attending a different
school.

Meanwhile, three worms almost caused the postponement of the opening
of the 75,000-student Cleveland public schools because the district
network was prevented from processing student schedules, said Alan
Seifullah, the district's spokesman.

"It was reinfecting the machines before we had finished cleaning
them," said Peter Robertson, the district's chief information officer.
"We had to take each and every machine off the network and disinfect
and update it before we reattached it."

In Cleveland, more than 6,000 of the district's 30,000 computers had
to be patched, "and many others had to be looked at machine by
machine," Mr. Robertson said. To ensure that schools opened on time on
Aug. 28, an assorted crew that varied between 30 and 100 district
personnel, student interns, and hired and loaned temporary workers
spent three days combing through 130 district buildings to install
fixes.

Ironically, school systems with newer equipment were often the most
vulnerable, as were districts that have switched to personal computers
from Macintosh computers, which were not affected by this round of
attacks.

New Computers Vulnerable

The 21,500-student Vancouver, Wash., school district had phased out
most of its Macs, said Linda Turner, the director of information and
technology services. "This summer we brought in 3,000 brand-new
PCs—that's a 'gotcha,' as well as a good thing," she said.

The "gotcha" meant that, after being infected by Nachi/Welchia, the
district network had to be turned off for a day, 10 college students
who had been summer hires were recalled to aid district technicians,
and the various systems were slowly restarted before classes began last
week.

At the 1,240-student Watertown Senior High School in Watertown,
S.D., officials in mid-August issued 1,400 new laptops to students and
teachers to kick off the school's "learning with laptops" program. But
as soon as students logged in on the first day of school, Aug. 25, the
network was flooded with messages generated by the Welchia worm.

Technicians first installed patches on the machines automatically
over the network. But a program on each laptop that was meant to remove
viruses and other unauthorized programs whenever the laptop was turned
on actually eliminated the patch. A team of 20 technicians, computer
teachers, and administrators had to collect all the laptops and spend
two days patching them.

Layers of Defense

Companies that make anti-virus software say that because of the
growing number of viruses and worms, organizations need to apply
several layers of defense against them.

The biggest difficulties that schools face can be the result of a
deliberate choice, said Larry Rogers, a senior member of the technical
staff at the CERT Coordination Center, a federally financed group at
Carnegie Mellon University in Pittsburgh that studies Internet
vulnerabilities. He noted what security experts are fond of saying: The
most secure computer system is one that is turned off.

The problem is that the requirements for ultimate security are
diametrically opposed to those for open access to information, Mr.
Rogers said.

"The challenge in the educational environment," he said, "is
providing an educational environment."

In short, schools don't want their cyber padlocks to prevent
students and teachers from discovering new things, he said, "including
visiting places they can wander into by accident."

To balance those priorities, Mr. Rogers said, schools should study
the connection between their "two businesses"—the business of
running operations and securing district information and
communications, and the business of giving people access to
information.

"It isn't quite the case that never the twain shall meet, but they
should meet in clearly defined places," he said.

Some school districts that were only minimally affected by the
recent attacks were well served by outside organizations that provide
their technology services.

For example, in New York state, the Lower Hudson Regional
Information Center used "many lines of defense" to keep viruses and
worms out of 45 districts that use the center to access Internet
services and maintain an electronic gateway for routing e-mail, said
Mike Stepowski, the center's manager of telecommunications.

"We caught pretty much all the Sobig virus and Blaster; 9,000 or
10,000 e-mails were infected per day," Mr. Stepowski said.

The nonprofit center, one of 12 in the state's Board of Cooperative
Educational Services system, also updated the virus protection
automatically for 25,000 school computers.

Networking experts say more consolidation of defenses against
viruses and worms may be needed in the future as they become more
destructive.

Microsoft, for its part, has acknowledged that there are security
vulnerabilities in its products, and says it will identify,
investigate, and remedy security vulnerabilities "when they occur,"
according to a document on the Microsoft TechNet Web site.

Coverage of technology is supported in part by the William and
Flora Hewlett Foundation.
